CriticalRabbit Posted ...

Hi,

This is a little off topic, hence the posting here, but I'm curious as to the acceptable level of paranoia regarding downloading applications from trusted websites. Specifically, the latest hack of Linux Mint's website has me worrying that a similar thing could have occurred, without my knowledge, when I originally downloaded my current version of Debian, that I'm using right now. I originally downloaded the image from their website and checked the sha256 checksum but did not verify the pgp signature of the sha256. I have the original image burned on DVD but I don't know how to check the sha256 on the DVD and compare it to the sha256 on Debian's website.

So, how likely is it that a hack, to the extent that a malicious download link could be replaced on a website (like what happened with Mint), would go unnoticed by the site's administrators? Further, if a hack was identified, do you think it is likely that the developers (e.g., debian.org) would ever not notify users?

Cheers,
Rabbit
zhang888 Posted ...

From similar events that happened in the past, where open source projects were backdoored, the developers and the community usually found this out in a matter of hours, just like now with Mint. Your best practice would be downloading an ISO that was published for a while; for example, if you downloaded Linux Mint 17.3 yesterday and searched the hashes online, you wouldn't find any. Why? Because they are too fresh and were modified by the attackers.

Second good choice could be torrent downloads. While it's rather easy to "poison" an HTTP mirror, it is much harder to poison a swarm with your fake iso: you need to create a torrent, generate a lot of seeders, then publish it on the hacked website, etc.

Takeaways?
GPG verification of downloaded isos = good
md5/sha verification of downloaded isos = good
Download torrent where possible = good
Google searches of hashes = good

To your question - is it likely that big open source projects will keep such news "secret"? I think the answer is no. A hack can happen to absolutely anyone, and any project. The fact that they revealed it as quickly as possible shows transparency and responsibility, whereas if a project would decide to hide this fact, this will not be forgotten by the community forever and will be a very big mistake. Besides, you cannot hide such facts forever. Most attackers will likely use this information/asset that was breached, and sooner or later the source of the leak will be identified. I am not aware of an open source project that tried to hide such information in the past, maybe someone else can find examples.

How to calculate a checksum of any given media? In *nix, simply run

sha256sum /dev/cdrom

and use the block device that is representing your media. Can be cdrom, usb, even floppy.

Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees.
CriticalRabbit Posted ...

If I use "sha256sum /dev/cdrom" will that not give me it for the entire size of the DVD, or just the size of the OS image on the DVD?

Cheers
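An added example, not code from the thread or from Debian, addressing the size question above: a POSIX shell script that hashes only the first N bytes of the disc, with N taken from the size of the downloaded ISO (e.g. from `ls -l`), so the padding a burner appends after the image does not disturb the digest, and compares the result with the matching SHA256SUMS entry. The demo data at the end is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread: hash only the first N bytes of a burned
# disc, N being the size of the published ISO, so the padding a burner appends
# after the image does not change the digest, then compare with SHA256SUMS.
# Before trusting SHA256SUMS itself, check its signature, e.g. for Debian:
#   gpg --verify SHA256SUMS.sign SHA256SUMS
set -eu

# sha256_prefix DEVICE_OR_FILE NBYTES: hex digest of the first NBYTES bytes
sha256_prefix() {
    head -c "$2" "$1" | sha256sum | cut -d' ' -f1
}

# expected_sum SUMSFILE ISONAME: digest listed for ISONAME ("<hash>  <name>")
expected_sum() {
    awk -v name="$2" '$2 == name { print $1; exit }' "$1"
}

# verify_media DEVICE SUMSFILE ISONAME NBYTES: 0 on match, 1 on mismatch,
# 2 if ISONAME is not listed at all
verify_media() {
    want=$(expected_sum "$2" "$3")
    [ -n "$want" ] || { echo "no entry for $3 in $2" >&2; return 2; }
    got=$(sha256_prefix "$1" "$4")
    if [ "$got" = "$want" ]; then
        echo "OK: $1 matches $3"
    else
        echo "MISMATCH: $1 ($got) != $3 ($want)" >&2
        return 1
    fi
}

# Constructed demo: a random 4096-byte stand-in for an ISO, a SHA256SUMS file
# for it, and a "disc" image that is the ISO followed by 2048 zero bytes.
demo() {
    dir=$(mktemp -d)
    head -c 4096 /dev/urandom > "$dir/demo.iso"
    (cd "$dir" && sha256sum demo.iso > SHA256SUMS)
    { cat "$dir/demo.iso"; head -c 2048 /dev/zero; } > "$dir/disc.img"
    size=$(wc -c < "$dir/demo.iso" | tr -d ' ')
    # Hashing the whole disc would not match; the size-limited hash does.
    verify_media "$dir/disc.img" "$dir/SHA256SUMS" demo.iso "$size"
    rm -r "$dir"
}

demo
```

On a real disc, replace the demo image with the block device (e.g. /dev/cdrom or /dev/sr0) and NBYTES with the byte size of the ISO you downloaded.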
CriticalRabbit Posted ...

I just compared the disc and it matched. Thanks for your help.
iwih2gk Posted ...

FYI - I don't have time to find the link but md5 is no longer completely trustworthy. SHA 256/512 are strong, but the best is always the verify of the iso/sig using GPG. It's so simple to do and when installing an entire major OS that is the time to be CERTAIN. With the debian folks I hang out with one of us would have checked and found a new mismatch of the iso pretty quickly. We never install a full debian OS without gpg of the download. Now if you were MITM'd only you would see the iso that YOU downloaded. Just another reason to verify the sig and file with GPG.

This may sound over the top for you but I suggest getting in the practice of logging/saving the browser cert credential of major sites from which you download such important stuff as an OS. The https cert will have a unique and exact fingerprint that is only possible to derive with access to the private key of the certificate. If you confirm and save that fingerprint then you can verify it easily before the download KNOWING then you are at the actual site and not an imposter.

e.g. -- E3:FF:B7:07:DC:2E:2C:24:F5:C2:95:7E:FF:B3:39:CD:C1:8A:B5:BD:9D:00:35:E7:03:06:F2:7F:C3:FA:EF:67

Above is the sha256 for https AirVpn. If you click on the lock in your browser and then view the certificate you will see that fingerprint. If your number is different you are not at the real Air. See how easy that is. Of course that means you need to know the fingerprint ahead of time. There are some sites that have more than one but most use only one, and especially sites dealing with privacy concerns.

I am just trying to help so you can relax and be certain when dealing with such important downloads.
CriticalRabbit Posted ...

> for up to date info on any concerns hit their irc.spotchat.org: linuxmint-help, linuxmint-chat, pimpmymint

Thanks for the info.
zhang888 Posted ...

Also to IRC servers:
updates.absentvodka.com
updates.mintylinux.com
eggstrawdinarry.mylittlerepo.com
linuxmint.kernel-org.org
updates.absentvodka.com

Channel #mint passkey "bleh" to see if you find yourself there.

This was a very bad attempt to backdoor a distro, I don't want to imagine what a real adversary could do if a bunch of script kiddies could inject an old IRC bot there.
rickjames Posted ...

> I don't want to imagine what a real adversary could do if a bunch of script kiddies could inject an old IRC bot there.

This ^